Risk is inevitable. It’s simply part of any business, and because of that, managers often believe that understanding risk is an organic process that is either self-evident or intuitive, and based on the nature of the business itself. It’s not a bad approach because it tends to focus on business functions and not just the technology. But by themselves, intuition and experience are inadequate. And because they’re inadequate, a formal risk assessment process is critical to managing the growing, changing, and challenging threat environment that continues to evolve at the frenetic pace of technology today.
A structured risk assessment consists of three basic steps:
- Identify and define the risks to be assessed.
- Decide how likely it is that each risk will occur.
- Decide the magnitude of the impact to the business if a given risk does occur.
Notice that steps two and three are decisions. It’s not always easy to determine just how likely it is that a given risk will occur. Unless we have a good set of data to back up our evaluation, we can only reason, applying common sense to understanding each risk.
Yet to understand and communicate risk throughout the organization, it should be quantified. This can be accomplished using a simple risk scoring methodology most of us are already familiar with. For example, if we use a 1-5 ranking system, we can let 1 = low and 5 = high. Then if a risk is very likely to occur, we rank its likelihood a 5. If the risk would have a serious impact on the business, we rank its impact a 5. Finally, we multiply the two together for a risk score of 25 (the product ranges from 1 to 25). Using this approach over and over, we can develop a hierarchy of risks that cascades from high to low and prioritize which of those to address first. At the same time, it's important not to make all decisions based on the risk score alone.
Let's say a risk is very unlikely and we rate its likelihood a 1, but if it occurred, the impact on the organization would be catastrophic, so we rate that a 5. The total risk score is a 5, and judging by the number alone it should be low on the list of risks needing remediation; note that a very likely risk with a trivial impact (likelihood 5, impact 1) earns exactly the same score. At this point we need to look past the numbers and determine our organization's risk appetite. If we were willing to live with a risk having potentially catastrophic results, we would likely not develop a disaster recovery plan, nor would we have a disaster recovery site, because the likelihood of complete loss of the data center is usually very low and the cost of a fully functional backup site is high. But most organizations understand that essentially all catastrophic risks need to be addressed, and while the scoring approach is very helpful, it cannot be used in a vacuum, leading us back to the application of intuition and experience.
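The scoring method and the risk-appetite override described above, as an added worked example (this is not code from the original article; the risk register, its ratings, and the choice of impact 5 as the "catastrophic" threshold are constructed assumptions for illustration):

```python
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5          # the 1 = low .. 5 = high scale used in the text


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 = very unlikely .. 5 = very likely
    impact: int       # 1 = negligible .. 5 = catastrophic


def score(likelihood: int, impact: int) -> int:
    """Likelihood x impact on the 1-5 scale; the result lies in 1..25.
    Ratings outside the scale are rejected rather than silently scored."""
    for value in (likelihood, impact):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"rating {value} is outside {SCALE_MIN}..{SCALE_MAX}")
    return likelihood * impact


def rank_by_score(risks):
    """The pure score-driven hierarchy, high to low. Ties are broken by impact so a
    rare-but-severe risk sorts above a frequent-but-trivial one with the same score."""
    return sorted(risks, key=lambda r: (score(r.likelihood, r.impact), r.impact), reverse=True)


def remediation_queue(risks, catastrophic_impact=SCALE_MAX):
    """Score ranking plus the risk-appetite override from the text: any risk whose impact
    is at or above `catastrophic_impact` (assumed: 5) is addressed first, however unlikely."""
    ranked = rank_by_score(risks)
    catastrophic = [r for r in ranked if r.impact >= catastrophic_impact]
    remainder = [r for r in ranked if r.impact < catastrophic_impact]
    return catastrophic + remainder


def overrides(risks, catastrophic_impact=SCALE_MAX):
    """Risks the score alone would have buried: those the override moved up the queue."""
    by_score = rank_by_score(risks)
    queue = remediation_queue(risks, catastrophic_impact)
    return [r for r in queue if queue.index(r) < by_score.index(r)]


# Constructed sample register; the ratings are illustrative, not from a real assessment.
REGISTER = [
    Risk("Phishing leads to stolen staff credentials", likelihood=5, impact=3),   # score 15
    Risk("Unpatched web server is exploited", likelihood=4, impact=4),            # score 16
    Risk("Laptop lost in transit", likelihood=3, impact=2),                       # score 6
    Risk("Data center destroyed by fire", likelihood=1, impact=5),                # score 5
    Risk("Printer runs out of toner", likelihood=5, impact=1),                    # score 5
]

if __name__ == "__main__":
    print("By score alone:")
    for r in rank_by_score(REGISTER):
        print(f"  {score(r.likelihood, r.impact):2d}  {r.name}")
    print("Remediation queue after the catastrophic-impact override:")
    for r in remediation_queue(REGISTER):
        print(f"  {score(r.likelihood, r.impact):2d}  {r.name}")
```

Run as a script, the first listing puts the fire scenario fourth, tied on score with the toner shortage; the second listing lifts it to the top of the queue because its impact is catastrophic, which is the judgement the article says must be applied on top of the raw score.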
In short, a risk assessment is a structured process for identifying and classifying risks and deciding what, and how much, to do about them. Once we've agreed on the assessment and classifications, we can focus on the two remaining aspects of risk management: risk remediation and, once that is accomplished, agreement that the remaining (or residual) risk is acceptable.